MS admits planting secret password

Microsoft engineers placed a password in server software that could be used to gain illicit access to hundreds of thousands of Internet sites world-wide

Microsoft acknowledged Thursday that its engineers included in some of its Internet software a secret password -- a phrase deriding their rivals at Netscape as "weenies" -- that could be used to gain illicit access to hundreds of thousands of Internet sites world-wide.

The manager of Microsoft's security-response centre, Steve Lipner, acknowledged the online-security risk in an interview Thursday and described such a backdoor password as "absolutely against our policy" and a firing offence for the as yet unidentified employees.

The company planned to warn customers as soon as possible with an e-mail bulletin and an advisory notice published on its corporate Web site. Microsoft urged customers to delete the computer file -- called "dvwssr.dll" -- containing the offending code. The file is installed on the company's Internet-server software with FrontPage 98 extensions.

While there are no reports that the alleged security flaw has been exploited, the affected software is believed to be used by many Web sites. By using the so-called back door, a hacker may be able to gain access to key Web-site management files, which could in turn provide a road map to such things as customer credit-card numbers, said security experts who discovered the password.

Two security experts discovered the rogue computer code -- part of which was the denigrating comment "Netscape engineers are weenies!" -- buried within the three-year-old piece of software. It was apparently written by a Microsoft employee near the peak of the hard-fought wars between Netscape Communications and Microsoft over their versions of Internet-browser software. Netscape later was acquired by America Online.

One of the experts who helped identify the file is a professional security consultant known widely among the Internet underground as "Rain Forest Puppy." Despite his unusual moniker, he is highly regarded by experts and helped publicise a serious flaw in Microsoft's Internet-server software last summer that put hundreds of high-profile Web sites at risk of intrusion.

Russ Cooper, who runs the popular NT Bugtraq discussion forum on the Internet, estimated that the problem threatened "almost every Web-hosting provider."

"It's a serious flaw," Cooper said. "Chances are, you're going to find some major sites that still have it enabled." Lipner of Microsoft said the company will warn the nation's largest Web-site providers directly.

In an email to Microsoft earlier Thursday, Rain Forest Puppy complained that the affected code threatened to "improve a hacker's experience." Experts said the risk was greatest at commercial Internet-hosting providers, which maintain hundreds or thousands of separate Web sites for different organisations.

Lipner said the problem doesn't affect Internet servers running Windows 2000, or the latest version of its server extensions included in FrontPage 2000.

The digital gaffe initially was discovered by a Europe-based employee of ClientLogic of Nashville, Tennessee, which sells e-commerce technology. The company declined to comment because of its coming stock sale. The other expert, Rain Forest Puppy, said he was tipped off to the code by a ClientLogic employee.

When asked about the hidden insult Thursday, Jon Mittelhauser, one of Netscape's original engineers, called it "classic engineer rivalry."
